Example description
[Brief introduction]
ISO 29134 is a personal information protection standard, one of the ISO series of standards on personal information (privacy) protection.
BS ISO/IEC 29134:2017
INTERNATIONAL STANDARD ISO/IEC 29134
First edition 2017-06

Information technology - Security techniques - Guidelines for privacy impact assessment
(Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'évaluation d'impacts sur la vie privée)

Reference number ISO/IEC 29134:2017(E)
© ISO/IEC 2017

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
© ISO/IEC 2017 - All rights reserved

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Preparing the grounds for PIA
5.1 Benefits of carrying out a PIA
5.2 Objectives of PIA reporting
5.3 Accountability to conduct a PIA
5.4 Scale of a PIA
6 Guidance on the process for conducting a PIA
6.1 General
6.2 Determine whether a PIA is necessary (threshold analysis)
6.3 Preparation of the PIA
6.3.1 Set up the PIA team and provide it with direction
6.3.2 Prepare a PIA plan and determine the necessary resources for conducting the PIA
6.3.3 Describe what is being assessed
6.3.4 Stakeholder engagement
6.4 Perform the PIA
6.4.1 Identify information flows of PII
6.4.2 Analyse the implications of the use case
6.4.3 Determine the relevant privacy safeguarding requirements
6.4.4 Assess privacy risk
6.4.5 Prepare for treating privacy risks
6.5 Follow up the PIA
6.5.1 Prepare the report
6.5.2 Publication
6.5.3 Implement privacy risk treatment plans
6.5.4 Review and/or audit of the PIA
6.5.5 Reflect changes to the process
7 PIA report
7.1 General
7.2 Report structure
7.3 Scope of PIA
7.3.1 Process under evaluation
7.3.2 Risk criteria
7.3.3 Resources and people involved
7.3.4 Stakeholder consultation
7.4 Privacy requirements
7.5 Risk assessment
7.5.1 Risk sources
7.5.2 Threats and their likelihood
7.5.3 Consequences and their level of impact
7.5.4 Risk evaluation
7.5.5 Compliance analysis
7.6 Risk treatment plan
7.7 Conclusion and decisions
7.8 PIA public summary
Annex A (informative) Scale criteria on the level of impact and on the likelihood
Annex B (informative) Generic threats
Annex C (informative) Guidance on the understanding of terms used
Annex D (informative) Illustrated examples supporting the PIA process
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Introduction
A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as necessary in order to treat privacy risk. A PIA report may include documentation about measures taken for risk treatment, for example, measures arising from the use of the information security management system (ISMS) in ISO/IEC 27001.

A PIA is more than a tool: it is a process that begins at the earliest possible stages of an initiative, when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed.

Initiatives vary substantially in scale and impact. Objectives falling under the heading of "privacy" will depend on culture, societal expectations and jurisdiction. This document is intended to provide scalable guidance that can be applied to all initiatives. Since guidance specific to all circumstances cannot be prescriptive, the guidance in this document should be interpreted with respect to individual circumstances.

A PII controller may have a responsibility to conduct a PIA and may request a PII processor to assist in doing this, acting on the PII controller's behalf. A PII processor or a supplier may also wish to conduct their own PIA. A supplier's PIA information is especially relevant when digitally connected devices are part of the information system, application or process being assessed. It may be necessary for suppliers of such devices to provide privacy-relevant design information to those undertaking the PIA.

When the provider of digital devices is unskilled in and not resourced for PIAs, for example, a small retailer or a small and medium-sized enterprise (SME) using digitally connected devices in the course of its normal business operations, then, in order to enable it to undertake minimal PIA activity, the device supplier may be called upon to provide a great deal of privacy information and undertake its own PIA with respect to the expected PII principal/SME context for the equipment they supply.

A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII principals adequately. In some jurisdictions, a PIA may be necessary to meet legal and regulatory requirements.

This document is intended to be used when:
- the privacy impact on PII principals includes consideration of processes, information systems or programmes, where:
  - the responsibility for the implementation and/or delivery of the process, information system or programme is shared with other organizations and it should be ensured that each organization properly addresses the identified risks;
  - an organization is performing privacy risk management as part of its overall risk management effort while preparing for the implementation or improvement of its ISMS (established in accordance with ISO/IEC 27001 or an equivalent management system); or
  - an organization is performing privacy risk management as an independent function;
- an organization (e.g. government) is undertaking an initiative (e.g. a public-private-partnership programme) in which the future PII controller organization is not known yet, with the result that the treatment plan could not get implemented directly and, therefore, this treatment plan should become part of corresponding legislation, regulation or the contract instead;
- the organization wants to act responsibly towards the PII principals.

Controls deemed necessary to treat the risks identified during the privacy impact analysis process may be derived from multiple sets of controls, including ISO/IEC 27002 (for security controls) and ISO/IEC 29151 (for PII protection controls) or comparable national standards, or they may be defined by the person responsible for conducting the PIA, independently of any other control set.